A traceroute is a technique for determining a path used by packets traveling through the network from one endpoint to a remote endpoint. Determination of this path is useful when diagnosing connectivity issues between the two endpoints.
Traceroute involves first sending an Internet Protocol (IP) packet with a Time-To-Live (TTL) value equal to one to a remote host on an unused UDP port. When the first on-path router receives the IP packet and decrements the TTL value to zero, it drops the entire message and sends back an Internet Control Message Protocol (ICMP) packet indicating that the IP packet's lifetime has been exceeded. This ICMP error packet contains the IP header and the first eight bytes of the payload from the IP packet whose lifetime was exceeded. When the payload is UDP, this information includes the packet's source IP address and port as well as its length. Next, the endpoint sends another IP packet with a TTL value equal to two, which reaches a second on-path router before eliciting the same ICMP response. This process continues until an IP packet has a TTL value sufficient to reach the remote endpoint. When an IP packet reaches the remote endpoint, the receipt of a UDP packet on an unused UDP port elicits an invalid-port ICMP error packet from the remote endpoint, which indicates completion of the traceroute.
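The matching step described above, as an added example that is not part of the original text: a parser that takes a captured ICMP error, reads the reporting router's address from the outer IP header, and reads the quoted IP header plus the first eight payload bytes (the UDP header) to identify which probe the error refers to, distinguishing a Time Exceeded hop report from the Port Unreachable completion signal. Packet layouts follow the IPv4, ICMP and UDP header formats; the sample addresses and ports are constructed values and the checksums are left zero.

```python
import struct
import ipaddress

IPPROTO_ICMP, IPPROTO_UDP = 1, 17
ICMP_TIME_EXCEEDED, ICMP_TTL_EXPIRED_CODE = 11, 0  # sent by an on-path router
ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE = 3, 3   # sent by the remote endpoint

def parse_ipv4_header(buf):
    """Return (fields, header_length) for the IPv4 header at the start of buf."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, _tlen, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"ttl": ttl, "proto": proto, "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst))}, ihl

def parse_traceroute_reply(packet):
    """Classify a captured IPv4 packet as a hop report, a completion signal, or neither (None)."""
    outer, off = parse_ipv4_header(packet)            # outer source = the router/endpoint reporting
    if outer["proto"] != IPPROTO_ICMP or len(packet) < off + 8:
        return None
    icmp_type, icmp_code = struct.unpack("!BB", packet[off:off + 2])
    if (icmp_type, icmp_code) == (ICMP_TIME_EXCEEDED, ICMP_TTL_EXPIRED_CODE):
        kind = "hop"
    elif (icmp_type, icmp_code) == (ICMP_DEST_UNREACH, ICMP_PORT_UNREACH_CODE):
        kind = "destination"
    else:
        return None                                    # some other ICMP error: not a traceroute reply
    quoted = packet[off + 8:]                          # 8-byte ICMP header, then the quoted datagram
    inner, ioff = parse_ipv4_header(quoted)            # the probe's own IP header
    if inner["proto"] != IPPROTO_UDP or len(quoted) < ioff + 8:
        return None                                    # not a UDP probe, or fewer than 8 payload bytes quoted
    sport, dport, udp_len, _udp_csum = struct.unpack("!HHHH", quoted[ioff:ioff + 8])
    return {"kind": kind, "reporter": outer["src"], "probe_src": inner["src"],
            "probe_dst": inner["dst"], "sport": sport, "dport": dport, "udp_len": udp_len}

def build_icmp_error(reporter, icmp_type, icmp_code, probe_src, probe_dst, sport, dport, udp_len):
    """Constructed sample packet, as a router or endpoint would emit it (checksums left zero)."""
    def ip4(addr): return ipaddress.IPv4Address(addr).packed
    quoted_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 1, IPPROTO_UDP, 0,
                            ip4(probe_src), ip4(probe_dst))
    quoted_udp = struct.pack("!HHHH", sport, dport, udp_len, 0)   # the first eight payload bytes
    icmp = struct.pack("!BBHI", icmp_type, icmp_code, 0, 0) + quoted_ip + quoted_udp
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, IPPROTO_ICMP, 0,
                           ip4(reporter), ip4(probe_src))
    return outer_ip + icmp
```

Feeding `build_icmp_error("192.0.2.1", ICMP_TIME_EXCEEDED, 0, "198.51.100.7", "203.0.113.9", 40000, 33434, 40)` to `parse_traceroute_reply` yields a "hop" record reported by 192.0.2.1 for the probe to port 33434; the same call with type 3, code 3 from the destination address yields the "destination" record that marks completion.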
On-path security devices can interfere with traceroutes by observing that the packets are addressed to the unused UDP port and blocking those packets from reaching the remote endpoint. When the packets are blocked, the invalid-port ICMP error is not elicited and the traceroute does not complete. The disclosure that follows solves these and other problems.